Linux Kernel QLogic QEDE Out-of-Bounds Read Vulnerability

Vulnerability

A potential out-of-bounds read vulnerability has been identified in the Linux kernel's QLogic QEDE network driver. This issue arises in the 'qede_tpa_cont()' and 'qede_tpa_end()' functions, where loops iterate over the 'cqe->len_list[]' array using only a zero-length terminator as the stopping condition. If the terminator is missing or malformed, the loop may exceed the bounds of the fixed-size array, leading to undefined behavior. The vulnerability has been addressed by adding an explicit boundary check using ARRAY_SIZE() in both functions, preventing the out-of-bounds access.
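The loop pattern described above, next to the ARRAY_SIZE()-bounded form, as an added userspace example that is not the driver's own code. The struct, the function names and the array size of 6 are assumptions made for illustration; only 'len_list' and ARRAY_SIZE() come from the description.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Userspace stand-in for the kernel's ARRAY_SIZE() macro. */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Hypothetical size: the real array length is not stated in this advisory. */
#define MODEL_LEN_LIST_SIZE 6

/* Simplified model of a TPA completion entry, reduced to the field discussed. */
struct model_tpa_cqe {
    uint16_t len_list[MODEL_LEN_LIST_SIZE];
};

/* "Before" pattern: stops only on a zero-length entry, so it is safe only
 * when the producer always writes a terminator inside the array. */
static size_t count_frags_terminator_only(const struct model_tpa_cqe *cqe, uint32_t *total)
{
    size_t i;
    *total = 0;
    for (i = 0; cqe->len_list[i]; i++)
        *total += cqe->len_list[i];
    return i;
}

/* "After" pattern: the index is checked against ARRAY_SIZE() before the read. */
static size_t count_frags_bounded(const struct model_tpa_cqe *cqe, uint32_t *total)
{
    size_t i;
    *total = 0;
    for (i = 0; i < ARRAY_SIZE(cqe->len_list) && cqe->len_list[i]; i++)
        *total += cqe->len_list[i];
    return i;
}

/* Constructed sample entries: one with a terminator, one completely full. */
static const struct model_tpa_cqe cqe_terminated = { { 1448, 1448, 512, 0, 0, 0 } };
static const struct model_tpa_cqe cqe_full = { { 1448, 1448, 1448, 1448, 1448, 1448 } };

int main(void)
{
    uint32_t total;
    size_t n = count_frags_terminator_only(&cqe_terminated, &total);
    printf("terminated, old loop: %zu frags, %u bytes\n", n, (unsigned)total);
    n = count_frags_bounded(&cqe_full, &total);
    printf("no terminator, bounded loop: %zu frags, %u bytes\n", n, (unsigned)total);
    return 0;
}
```

The terminator-only loop is exercised only on the terminated entry; on the full entry it would read past 'len_list', which is the condition the bounded form rules out.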

Impact

Exploitation of this vulnerability could lead to memory corruption by allowing reads beyond the allocated buffer, potentially causing undefined behavior or application crashes.

Reproduction

The vulnerability can be reproduced by triggering the QLogic QEDE network driver to process a malformed or incomplete 'len_list' array in the 'qede_tpa_cont()' or 'qede_tpa_end()' functions. This can be done by manipulating the data packets received by the network interface in a way that omits the proper terminator, causing the loop to iterate past the end of the array.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.

Added: Dec 4, 2025, 4:38 PM
Updated: Dec 4, 2025, 5:41 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.